Slashdot Mirror


Georgia Institute of Technology Researchers Bridge the Airgap

An anonymous reader writes: Hacked has a piece about Georgia Institute of Technology researchers keylogging from a distance using the electromagnetic radiation of CPUs. They can reportedly do this from up to 6 meters away. In this video, using two Ubuntu laptops, they demonstrate that keystrokes are easily interpreted with the software they have developed. In their white paper they talk about the need for more research in this area so that hardware and software manufacturers will be able to develop more secure devices. For now, Faraday cages don't seem as crazy as they used to, or do they?

14 of 86 comments

  1. Add noise by Anonymous Coward · Score: 5, Interesting

    I was working at a defense contractor in the '80s when the whole "Tempest" program started.

    Rather than shield equipment, we simply added a small amount of broadband noise.

    The problem isn't to limit emission: The problem is to frustrate detection.

    1. Re:Add noise by Crashmarik · Score: 4, Interesting

      Really, it's amazing how easy it is for people to forget that things like Van Eck phreaking http://en.wikipedia.org/wiki/V... have been around for going on three decades now.

    2. Re:Add noise by fuzzyfuzzyfungus · Score: 3, Interesting

      I'd be curious to know (I'm definitely underinformed, so this is an honest question) whether that tactic has lost some effectiveness over time. The classic monitoring-RF-to-read-CRTs stuff depended on getting an adequately clean copy of the distinctly analog output of the CRT. Now, all signals are fundamentally analog signals; but digital signals are analog signals designed to make guessing the correct value really easy (since there are only two possibilities, rather than an arbitrary number of them); and now more than ever it's a safe guess that sensitive data will be heading over a number of RF-emitting digital busses, from the keyboard to the computer, within the computer, and likely to the monitor as well.

      Does the broadband noise still drown out the desired signal sufficiently to prevent reconstruction, or does our increased emphasis on high-speed digital busses (often designed to operate with some amount of error correction in the event of cheap lousy hardware being cheap and lousy) make it more tractable to either unambiguously pick the correct interpretation of a noisy input, or make a number of guesses and use known features of the bus to help eliminate the incorrect ones?

    3. Re:Add noise by John.Banister · Score: 2

      What if you build a Faraday Cage and put the jammer inside it? Then if the FCC shows up, they can help you improve your Faraday cage.

      Or, if you're in a spy movie, you could have an array of jamming antennas that leave a quieter zone corresponding to a weakness in your Faraday cage, and right there you broadcast a signal you generate that interprets back to the random browsing of this fellow from India whom you pay to have spyware recording and sending you his online activities.

    4. Re:Add noise by tlhIngan · Score: 4, Informative

        I'd be curious to know (I'm definitely underinformed, so this is an honest question) whether that tactic has lost some effectiveness over time. The classic monitoring-RF-to-read-CRTs stuff depended on getting an adequately clean copy of the distinctly analog output of the CRT. Now, all signals are fundamentally analog signals; but digital signals are analog signals designed to make guessing the correct value really easy (since there are only two possibilities, rather than an arbitrary number of them); and now more than ever it's a safe guess that sensitive data will be heading over a number of RF-emitting digital busses, from the keyboard to the computer, within the computer, and likely to the monitor as well.

        Does the broadband noise still drown out the desired signal sufficiently to prevent reconstruction, or does our increased emphasis on high-speed digital busses (often designed to operate with some amount of error correction in the event of cheap lousy hardware being cheap and lousy) make it more tractable to either unambiguously pick the correct interpretation of a noisy input, or make a number of guesses and use known features of the bus to help eliminate the incorrect ones?

      Well, it has lost a lot of effectiveness because we switched from CRTs to LCDs - a CRT has very distinct emission patterns because it has to drive the electron beam around. So you can detect when the syncs happen because they're driven by huge magnetic field coils on the side of the CRT in a standard frequency and pattern (vsync happens at the Hz level, hsync at the kHz level), and the amplifiers that drive the electron guns emit a lot of RF as they operate.

      These days the emissions are far lower because we're not having to accelerate an electron beam, so the amplitudes are lower. Sure, you can sniff the signal cabling, but unless you're using analog cabling, most external signalling uses a form of encoding that's designed to minimize RF emissions. Not because of Van Eck, but because they want to spread the peaks of emissions across a broadband range, which makes it easier to pass RF emissions tests (e.g., FCC emissions tests).

      So using a DVI or HDMI cable causes the signal to smear (TMDS - transition minimized differential signalling - transitions cause the big spikes in RF emissions, so if you can minimize them, you can increase rise/fall times which lowers RF emissions, spreading and smearing the signal across a wider frequency band and trying to hide it in the noise).

      Of course, most digital busses don't do this (they assume the entire system will be RF shielded), same as CPUs, so with the right receiver those signals show up pretty clearly, especially if you can compromise the RF shielding.
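      As an added illustration of the coding tlhIngan is describing (example code written for this mirror, not tlhIngan's, the Georgia Tech team's, or any DVI/HDMI vendor's), here is the TMDS 8b/10b encoder and decoder from the DVI specification in Python. Stage 1 chains each data bit through XOR or XNOR so that a transition only happens on a 1 (or, in the XNOR chain, on a 0), and the chain is chosen by the byte's population count; stage 2 inverts the payload as needed to keep the running ones/zeros disparity near zero. Counting edges per symbol shows the property tlhIngan is relying on: a raw byte can have 7 transitions, a TMDS symbol never more than 5. The pixel bytes at the bottom are constructed sample input.

```python
"""TMDS (transition-minimised differential signalling) 8b/10b coding.

Added example, not code from the thread: implements the two TMDS stages
used on DVI/HDMI links (transition minimisation, then DC balancing) and
counts bit transitions so the "fewer edges per symbol" property can be
measured directly.  The pixel bytes at the bottom are constructed input.
"""


def ones(value: int, width: int = 8) -> int:
    """Number of set bits in the low `width` bits of value."""
    return bin(value & ((1 << width) - 1)).count("1")


def transitions(word: int, width: int) -> int:
    """Count adjacent bit changes when word is viewed as `width` bits."""
    bits = [(word >> i) & 1 for i in range(width)]
    return sum(1 for a, b in zip(bits, bits[1:]) if a != b)


def tmds_minimize_transitions(data: int) -> int:
    """Stage 1: map a byte to a 9-bit word with at most 4 transitions.

    Output bit i is output bit i-1 XORed (or XNORed) with data bit i, so
    an edge occurs only on a 1 (XOR chain) or a 0 (XNOR chain).  The chain
    is picked from the byte's population count, which bounds the edges.
    Bit 8 records the chain used: 1 = XOR, 0 = XNOR.
    """
    n1 = ones(data)
    use_xnor = n1 > 4 or (n1 == 4 and (data & 1) == 0)
    q_m = prev = data & 1
    for i in range(1, 8):
        d = (data >> i) & 1
        bit = (prev ^ d) ^ 1 if use_xnor else prev ^ d
        q_m |= bit << i
        prev = bit
    if not use_xnor:
        q_m |= 1 << 8
    return q_m


def tmds_encode(data: int, disparity: int) -> tuple:
    """Stage 2: DC-balance the 9-bit word into a 10-bit symbol.

    `disparity` is the running excess of ones over zeros already sent.
    Bit 9 of the symbol records whether bits 0..7 were inverted to pull
    the disparity back towards zero.  Returns (symbol, new disparity).
    """
    q_m = tmds_minimize_transitions(data)
    low8, sel = q_m & 0xFF, (q_m >> 8) & 1
    n1 = ones(low8)
    n0 = 8 - n1
    if disparity == 0 or n1 == n0:
        invert = sel == 0
        disparity += (n1 - n0) if sel else (n0 - n1)
    elif (disparity > 0 and n1 > n0) or (disparity < 0 and n0 > n1):
        invert = True
        disparity += 2 * sel + (n0 - n1)
    else:
        invert = False
        disparity += (n1 - n0) - 2 * (sel ^ 1)
    payload = (low8 ^ 0xFF) if invert else low8
    symbol = (int(invert) << 9) | (sel << 8) | payload
    return symbol, disparity


def tmds_decode(symbol: int) -> int:
    """Undo both stages: remove the inversion, then unchain the bits."""
    low8 = symbol & 0xFF
    if (symbol >> 9) & 1:
        low8 ^= 0xFF
    use_xor = (symbol >> 8) & 1
    data = low8 & 1
    for i in range(1, 8):
        edge = ((low8 >> (i - 1)) & 1) ^ ((low8 >> i) & 1)
        data |= (edge if use_xor else edge ^ 1) << i
    return data


def encode_stream(pixels: bytes) -> list:
    """Encode a byte sequence, carrying the running disparity across symbols."""
    disparity, symbols = 0, []
    for b in pixels:
        sym, disparity = tmds_encode(b, disparity)
        symbols.append(sym)
    return symbols


def worst_case_transitions(pixels: bytes) -> tuple:
    """(max edges in any raw byte, max edges in any of their TMDS symbols)."""
    raw = max(transitions(b, 8) for b in pixels)
    coded = max(transitions(s, 10) for s in encode_stream(pixels))
    return raw, coded


if __name__ == "__main__":
    # Constructed sample: alternating patterns are the worst case for edges.
    sample = bytes([0x55, 0xAA, 0x55, 0xAA, 0x00, 0xFF, 0x12, 0xED])
    symbols = encode_stream(sample)
    assert [tmds_decode(s) for s in symbols] == list(sample)
    print("raw max edges, coded max edges:", worst_case_transitions(sample))
    for b, s in zip(sample, symbols):
        print(f"0x{b:02x} {b:08b} ({transitions(b, 8)} edges) -> "
              f"{s:010b} ({transitions(s, 10)} edges)")
```

      The edge bound is the whole point: stage 1 leaves at most 3 transitions inside bits 0..7, and stage 2 can add at most one at the bit 7/8 boundary and one at bit 8/9, so no symbol carries more than 5. Inverting the payload never changes the edges inside it, which is why DC balancing does not undo the minimisation.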

    5. Re: Add noise by cbelt3 · Score: 3, Interesting

      Properly shielded equipment uses different methods to 'break the cage'. It's been many decades, but some of the heavily shielded designs I did in the '80s involved opto-isolators. Yes, that's right. Want to avoid radiating information? Use light.

      Keep in mind that the structure of the Faraday cage depends on the frequency of the data being transmitted. It does not have to be unbreakable tin foil. Properly sized metal mesh will also do the job. Just ask anyone who tries to get a Wi-Fi signal through an old wall with expanded metal lath and plaster.

    6. Re:Add noise by rtb61 · Score: 2

      In actual use Faraday cages can be readily subverted by incoming power lines. For a building-wide Faraday cage to be secure, power lines must be conditioned to prevent data interception via subverted hardware within the Faraday cage; otherwise that unsecured wire leads right from the supposedly secure hardware to a power station many kilometres away, and is connected to every other device hooked up to the same power source. Other things must also be looked at, like water pipes, tapping into the earth circuit, or even using the Faraday cage itself as a conductor. Digital security is a mindless headfuck: no matter what you do to secure it, it can be subverted, which is why manual systems are becoming preferred again for really serious security, as they require direct personal access.

      --
      Chaos - everything, everywhere, everywhen

  2. Old news by Anonymous Coward · Score: 5, Insightful

    Missing from the summary: THEY HAVE SOFTWARE INSTALLED ON THE VICTIM LAPTOP that modulates the CPU usage.

    You don't need any fancy equipment, any AM radio will do.

    1. Re:Old news by fuzzyfuzzyfungus · Score: 2

      Speaking of AM radios and software on the victim computer: this classic.

      Unfortunately it only works on CRTs; but it's a heartwarmingly neat trick.

    2. Re:Old news by jeffmeden · Score: 2

        Missing from the summary: THEY HAVE SOFTWARE INSTALLED ON THE VICTIM LAPTOP that modulates the CPU usage.

        You don't need any fancy equipment, any AM radio will do.

      Given how successful Stuxnet was at infecting across the airgap (by way of poor USB policies), it is rather plausible that you could rely on a trojan horse (in the most literal sense of the term) to get inside and start broadcasting sensitive information out, be it keystrokes or fragments of files or whatever.

  3. you like my new necklace? by Lawrence_Bird · Score: 2

    Somehow I don't think a secure location is going to be too worried about this type of attack unless someone can show it working with an extremely small receiver which is also able to log the data for later use. Also note that even at the slow rate she was typing it still missed characters.

    So while academically interesting, this seems to be something of very limited concern. Of course, if you see an antenna like that in the coffeeshop you might want to leave.

  4. Old news and still needs pwned access by ramriot · Score: 3, Interesting

    Firstly, this is old news.
    Secondly, almost the first thing said in the video is that they had to install a driver on the target to force it to emit signals they could pull out of the noise. So it's a nice idea that if you have access to put software on the PC you can later get it to emit information, but if you are going to do that then why not use what else is there, because how often are all the target's other wireless interfaces fully disabled? I suspect unless your name is Snowden, not very often. Further, if you are that worried about leaking information that you go fully air-gapped, you would not be trusting a malleable OS to run from; much better to run from a live CD.

  5. Re:define crazy. by fuzzyfuzzyfungus · Score: 4, Insightful

    The trick is that security measures have costs, in time, money, user convenience, etc., and it is considered 'crazy' (in the weak sense of 'not sensible', not the psych-ward sense) to voluntarily impose costs on yourself that are out of proportion to the costs of the expected threat.

    There's always something you could be doing more securely; but only sometimes is it worth it.

  6. Re:Oh, it was never "crazy"... by mlts · Score: 2

    I would guess it would be cheaper in most cases for an attacker to black-bag the hardware (evil maid attack), or just use xkcd.com/538 and a wrench.

    TEMPEST attacks are very low on my worry list. If I were running an organization that dealt with data that sensitive, it would be well tucked away in a building designed from the ground up to keep cameras and detectors quite a ways from the juicy stuff. However, before I even bothered with that, I'd be working on physical security, network security, various encryption levels, and having pentesters in to actually verify that the stuff in place is actually doing the job versus looking cool.